{
	"id": "74b9d5e9-82f1-4750-b8fe-48a8a19c3b26",
	"created_at": "2026-04-06T00:12:28.951412Z",
	"updated_at": "2026-04-10T13:12:30.936526Z",
	"deleted_at": null,
	"sha1_hash": "04d65a87552a6948fe0b6312edd8f177374b394e",
	"title": "Gamaredon Group - Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 115658,
	"plain_text": "Gamaredon Group - Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 16:33:41 UTC\nAPT group: Gamaredon Group\nNames\nGamaredon Group (Palo Alto)\nWinterflounder (iDefense)\nPrimitive Bear (CrowdStrike)\nBlueAlpha (Recorded Future)\nBlue Otso (PWC)\nIron Tilden (SecureWorks)\nArmageddon (SSU)\nSectorC08 (ThreatRecon)\nCallisto (NATO Association of Canada)\nShuckworm (Symantec)\nActinium (Microsoft)\nTrident Ursa (Palo Alto)\nDEV-0157 (Microsoft)\nUAC-0010 (CERT-UA)\nAqua Blizzard (Microsoft)\nUNC530 (?)\nG0047 (MITRE)\nCountry: Russia\nSponsor: State-sponsored, FSB Centre 18: Centre for Information Security (TsIB)\nMotivation: Information theft and espionage\nFirst seen: 2013\nDescription (Lookingglass): The Lookingglass Cyber Threat Intelligence Group (CTIG) has been tracking an ongoing cyber espionage campaign named “Operation Armageddon”. The name was derived from multiple Microsoft Word documents used in the attacks. “Armagedon” (spelled incorrectly) was found in the “Last Saved By” and “Author” fields in multiple Microsoft Word documents. Although continuously developed, the campaign has been intermittently active at a small scale, and uses unsophisticated techniques. The attack timing suggests the campaign initially started due to Ukraine’s decision to accept the Ukraine-European Union Association Agreement (AA). The agreement was designed to improve economic integration between Ukraine and the European Union. Russian leaders publicly stated that they believed this move by Ukraine directly threatened Russia’s national security. Although initial steps to join the Association occurred in March 2012, the campaign didn’t start until much later (mid-2013), as Ukraine and the EU started to more actively move towards the agreement. Russian actors began preparing for attacks in case Ukraine finalized the AA. The earliest identified modification timestamp of malware used in this campaign is June 26, 2013. A group of files with modification timestamps between August 12 and September 16, 2013 were used in the first wave of spear-phishing attacks, targeting government officials prior to the 10th Yalta Annual Meeting: “Changing Ukraine in a Changing World: Factors of Success.”\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=a48ab06b-092a-481d-ae0b-c4050ed281f7\nPage 1 of 6\nObserved\nSectors: Defense, Government, Law enforcement, NGOs, diplomats and journalists.\nCountries: Albania, Austria, Australia, Bangladesh, Brazil, Canada, Chile, China, Colombia, Croatia, Denmark, Georgia, Germany, Guatemala, Honduras, India, Indonesia, Iran, Israel, Italy, Japan, Kazakhstan, Latvia, Malaysia, Netherlands, Nigeria, Norway, Pakistan, Papua New Guinea, Poland, Portugal, Romania, Russia, South Africa, South Korea, Spain, Sweden, Turkey, UK, Ukraine, USA, Vietnam.\nTools used\nAversome infector, BoneSpy, DessertDown, DilongTrash, DinoTrain, EvilGnome, FRAUDROP, Gamaredon, GammaDrop, GammaLoad, GammaSteel, ObfuBerry, ObfuMerry, PlainGnome, PowerPunch, Pteranodon, QuietSieve, RemcosRAT, RMS, Resetter, SUBTLE-PAWS, UltraVNC.\nOperations performed\nApr 2019\nThe discovered attack appears to be designed to lure military personnel: it leverages a legitimate document of the “State of the Armed Forces of Ukraine” dated 2nd April 2019.\nMay 2019\nThe Gamaredon attacks against Ukraine don’t seem to have stopped. A month after our last report we spotted a new suspicious email potentially linked to the Gamaredon group.\nJul 2019\nEvilGnome: Rare Malware Spying on Linux Desktop Users\nOct 2019\nLure documents observed appear to target Ukrainian entities such as diplomats, government employees, military officials, and more.\nNov 2019\nNew wave of attacks\nDec 2019\nGamaredon APT Improves Toolset to Target Ukraine Government, Military\nMar 2020\nMoving into March 2020, countries worldwide are still struggling to manage the spread of the viral disease now known as COVID-19. In cyberspace, threat actors are using the topic of COVID-19 to their advantage, with numerous examples of malicious activity using COVID-19 as lure documents in phishing campaigns.\nEarly 2020\nSince the beginning of 2020 there are reports that the APT group has taken advantage of the coronavirus pandemic and used it as a lure to attract victims to open malicious attachments sent with spearphishing emails.\nApr 2020\nThe attacks we found all arrived through targeted emails (MITRE ATT\u0026CK framework ID T1193). One of them even had the subject “Coronavirus (2019-nCoV).”\nJan 2021\nRussia-Sponsored Group Employs Apparently Legitimate Documents Aligned to Growing Hostilities Between Russia and Ukraine\nJul 2021\nShuckworm Continues Cyber-Espionage Attacks Against Ukraine\nOct 2021\nSince October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis.\nDec 2021\nLookout Discovers Two Russian Android Spyware Families from Gamaredon APT\nJan 2022\nRussia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine\nFeb 2022\nGamaredon APT utilised new malware payloads to target Ukraine\nFeb 2022\nRussia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine\nMar 2022\nNetwork Footprints of Gamaredon Group\nApr 2022\nUkraine spots Russian-linked 'Armageddon' phishing attacks\nApr 2022\nShuckworm: Espionage Group Continues Intense Campaign Against Ukraine\nMay 2022\nUkraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT\nJul 2022\nShuckworm: Russia-Linked Group Maintains Ukraine Focus\nSep 2022\nGamaredon APT targets Ukrainian government agencies in new campaign\nNov 2022\nGamaredon (Ab)uses Telegram to Target Ukrainian Organizations\nNov 2022\nCyberattacks Targeting Ukraine Increase 20-fold at End of 2022 Fueled by Russia-linked Gamaredon Activity\nJan 2023\nRussia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware\nJan 2024\nOperation “STEADY#URSA”. Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor\nSep 2024\nBlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure\nOct 2024\nESET Research: Russia’s Gamaredon APT group unleashed spearphishing campaigns against Ukraine with an evolved toolset\nNov 2024\nGamaredon campaign abuses LNK files to distribute Remcos backdoor\nFeb 2025\nShuckworm Targets Foreign Military Mission Based in Ukraine\nCounter operations\nJun 2024\nRussian hackers sanctioned by European Council for attacks on EU and Ukraine\nOct 2024\nUkraine sentences two hackers from Russia-linked Armageddon group\nInformation\nMITRE ATT\u0026CK Playbook\nLast change to this card: 16 August 2025\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a48ab06b-092a-481d-ae0b-c4050ed281f7",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=a48ab06b-092a-481d-ae0b-c4050ed281f7"
	],
	"report_names": [
		"showcard.cgi?u=a48ab06b-092a-481d-ae0b-c4050ed281f7"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "79bd28a6-dc10-419b-bee7-25511ae9d3d4",
			"created_at": "2023-01-06T13:46:38.581534Z",
			"updated_at": "2026-04-10T02:00:03.029872Z",
			"deleted_at": null,
			"main_name": "Callisto",
			"aliases": [
				"BlueCharlie",
				"Star Blizzard",
				"TAG-53",
				"Blue Callisto",
				"TA446",
				"IRON FRONTIER",
				"UNC4057",
				"COLDRIVER",
				"SEABORGIUM",
				"GOSSAMER BEAR"
			],
			"source_name": "MISPGALAXY:Callisto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Dancing Salome",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051",
				"Primitive Bear",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"WinterFlounder"
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/04d65a87552a6948fe0b6312edd8f177374b394e.pdf",
		"text": "https://archive.orkl.eu/04d65a87552a6948fe0b6312edd8f177374b394e.txt",
		"img": "https://archive.orkl.eu/04d65a87552a6948fe0b6312edd8f177374b394e.jpg"
	}
}